Asked by:

Question

We are unable to add or connect to systems in Windows Admin Center using our Windows account for the connection. We are required to use smart card enforced domain accounts.

When adding a server, we receive "Credentials Needed. Access was denied to '[hostname]'. You can still add it to your connections list, but you will need to provide administrator credentials to the server."

When we add anyways and try to connect, we receive "Your credentials didn't work - try again".

The first error we received was "To perform a single sign-in using your Windows account, you might need to set up Kerberos constrained delegation." But this error goes away if we close the first browser session.
It comes back if we adjust allowed groups, but only for that session.

We have recently installed Windows Admin Center in our environment.

Our gateway is using a self-signed certificate on a Server 2016 machine.

The gateway, target machines, and accounts used are all domain objects on the same domain.

Our domain accounts require smart card.

Our domain accounts are in a domain group that is in the Gateway allowed groups as a SmartCardGroup type Gateway Administrators. We are logging into the system with these domain accounts.

We have also tried logging in as another user and running Google Chrome as the admin account.

We very briefly tried Microsoft Edge instead. We could not "run as" with this.

We have tried both the SmartCardGroup and the SecurityGroup type for our access group.

WinRM is active and configured on the Gateway and target machines. The service is running.

We can Enter-PSSession from the Gateway to the target machines. WMI is active.

We had added the target systems to the WAC inventory both individually and as a batch.

We have tried to connect to Server 2008r2, Server 2012r2, and Server 2016 target machines. We cannot connect to our Windows 7/10 machines due to group policy restrictions.

We have added the target servers as simple hostnames and FQDNs with the same result.

The gateway and target machines are in the same subnet. Firewalls have been ruled out.

WSMan:\localhost\Client\TrustedHosts is set to *

We have added the gateway's self signed certificate to the targets' local machine Trusted Root Certification Authority certificate store.

All replies

Kindly go through this article：https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/use/known-issues
. There is a known issue with Windows 10 that it does not have WinRM/PowerShell remoting on by default. To enable management of the Windows 10 Client, you must issue the command Enable-PSRemoting from an elevated PowerShell prompt. You may also need to update
your firewall to allow connections from outside the local subnet with Set-NetFirewallRule -Name WINRM-HTTP-In-TCP -RemoteAddress Any.

To automate things a bit more, you can also enable PSRemoting through GPO (Computer Policies\Administrative Templates\Windows Components\Windows Remote Management (RM)\WinRM Service - Allow remote server
management through WinRM) and also set the WinRM service to start automatically through GPO preferences.

Thank you for taking the time to respond. Unfortunately you suggestions did not help resolve the issue. The issue remains that we receive "Access Denied" when connecting to Windows Server machines using the "use my Windows Account
for this connection" setting.

Although I did read that document, I did not try those particular steps because my gateway and target are both Server 2016. We will not be not be managing any Windows 10 machines.

PSRemoting is already enabled on the target machines. We can successfully Enter-PSSession from the gateway to the target machines using windows account credentials.

The target systems are Server 2016, but I tried that firewall rule anyway. It did not resolve the issue. This issue persists for servers on the same subnet as the Windows Admin Center gateway.

I also completely turned off the firewalls on the target machine and the gateway. It did not resolve the issue. There is no network firewall or IDS between these systems.

Unfortunately I went through those two documents before posting my question. This issue is not addressed in those basic troubleshooting guides.

My issue remains that I get Credentials Needed - Access Denied when logging in using my Windows account with a smart card enforced domain account. I am having an issue with either using my Windows account for connections or passing a smart
card credential to Windows Admin Center.

If I remove the smart card enforcement from my account and log in with the manual username and password, I am able to add and manage any system. This is with the same domain account on multiple target systems.

I am also able to use my Windows credentials to log into multiple other products such as vmWare web consoles, SolarWinds, and Symantec.

I might have a more pointed question. Does Windows Admin Center require Resource-Based Constrained Delegation to manage a Windows Server machine from a a gateway on a Windows Server if both servers are on the
same domain?

If so, I may need to enable constrained delegation in order to use single sign-on, according to this document:

Hi,
According to "If I remove the smart card enforcement from my account and log in with the manual username and password, I am able to add and manage any system", we can try to use tools, such as process monitor, to see the difference between the two
authentication methods(remove the smart card enforcement from our account and smart card enforcement in our account ).

On the server where Windows Admin Center is installed, we try to install the certificate contained in the smart cart on that server(that server is the one we will add to the Windows Admin Center).

Best Regards,
Daisy Zhou

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact
tnmff@microsoft.com.

Thank you for your help. I believe the resolution to this issue may be beyond the scope of the TechNet forum, so I am going to open a ticket through software assurance.

For future readers,

I did install my certificate on the Windows Admin Center server without any apparent result. However, I didn't expect a result as my smart card's issuer is in all my servers' trusted root and the intermediary CAs are in their respective certificate
containers. The ability to log into the target system with my smart card and the target system's machine certificate is issued from the same root CA as my user certificate.

My smart card also has two certificates from the same issuer. I will be asking Microsoft support if having a second certificate somehow interferes with what certificate is passed to the target machine when selecting SSO. I will also be asking
if resource-based constrained delegation is required when all systems are on the same domain.